Mobile device for analyzing malicious code using a container platform, system for analyzing malicious code in a mobile device using the same, and method for analyzing malicious code using the same

ABSTRACT

A mobile device having a system for analyzing malicious code is provided. The mobile device includes a container agent generating at least one Android container executing Android malicious code for dynamic analysis in response to a request received from a cloud controller and checking a state of the at least one Android container, a Linux host, a hardware module containing an operating system (OS) for the Linux host, and an analysis agent detecting a problem occurring upon an operation of the Android malicious code in the at least one Android container through the Linux host, and transmitting information of kernel-related malicious code behavior to an analysis server.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority to and the benefit of Korean Patent Application No. 10-2017-0008996, filed on Jan. 19, 2017, the disclosure of which is incorporated herein by reference in its entirety.

BACKGROUND

The present disclosure relates to a mobile device for analyzing malicious code using a container platform, a system for analyzing malicious code in a mobile device, and a method for analyzing malicious code using a container platform, and more particularly, to a design for a mobile analysis using the Linux container technology. “Linux,” a well-known trademark, refers to open-source software operating systems built around the Linux kernel.

Many bypass techniques using anti-emulator technology have been developed against Android malicious code analysis platforms, such as the Android virtual device (AVD), which is a virtualization platform, and Android X86 run in a quick emulator (QEMU)-based emulator. “Android,” a well-known trademark, refers to a mobile operating system based on a modified version of the Linux kernel.

Anti-emulator technology not only distinguishes between actual mobile hardware and emulated hardware information but also determines whether eight sensor functions are provided in order to make that distinction. Using an actual mobile device to defeat such anti-emulator checks is costly when analyzing a large number of Android applications (apps) and is also inefficient.

Representatively, bare-metal, a real device with automation tools, an Intel-based Android version, and Virtualbox/VMware are being used.

Representative examples of bare-metal include AVD, Bluestack, AMIDuOS, Nox, and so on. QEMU is an emulator and a virtualization tool that may be used to virtualize hardware of an Android virtual device, and an emulator may configure a virtual environment through QEMU.

A real device with automation tools makes it possible to execute all application programs without a problem of compatibility and thus is an effective method of conducting an Android application analysis. Since technology for bypassing an emulator environment develops as malicious code becomes more intelligent, a real device with automation tools ensures the safest analysis. However, there is a drawback of degraded efficiency.

An Intel-based Android version may be executed not only in a mobile device but also in a laptop computer and a personal computer (PC). There is an Android-x86 type, such as RemixOS. An Intel-based Android version is provided as an ISO file and may be executed in a virtualization tool, such as Virtualbox or VMware.

However, an existing Android malicious code analysis has the following problems.

Intelligent malicious code examines an emulator environment in various ways, such as a basic method of checking virtual environment information, a method of examining a build environment, equipment, and hardware information, and other methods (e.g., checking whether there is /dev/qemu_pipe or /dev/socket/qemud or checking qemu information using a getprop command). Since some apps do not operate in a rooted environment, it is difficult to analyze the apps on the basis of QEMU.
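An added example (not part of the patent) of how the operator of an analysis environment could audit it for the emulator artifacts this paragraph names before submitting samples. The two device paths come from the text; the sample `getprop` output is constructed, and flagging any property whose key or value contains "qemu" is an assumption of this sketch.

```python
"""Audit an Android analysis environment for the emulator artifacts named
in the text above. Added example; not code from the patent."""
import os
import re

# Device nodes the text names as emulator tell-tales.
EMULATOR_PATHS = ("/dev/qemu_pipe", "/dev/socket/qemud")

# `getprop` prints one "[key]: [value]" pair per line.
_PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>.*)\]\s*$")

# Constructed sample: property dump from an emulator-like environment.
CONSTRUCTED_EMULATOR_PROPS = """\
[ro.kernel.qemu]: [1]
[init.svc.qemud]: [running]
[ro.hardware]: [example_board]
"""

# Constructed sample: property dump from a container on real hardware,
# including one malformed line that the parser must skip.
CONSTRUCTED_CONTAINER_PROPS = """\
[ro.hardware]: [example_board]
[ro.build.type]: [user]
this line is not a property
"""


def parse_getprop(text):
    """Parse `getprop` output into a dict, skipping lines that do not match."""
    props = {}
    for line in text.splitlines():
        match = _PROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def audit_environment(getprop_text, path_exists=os.path.exists):
    """Return a list of (kind, detail) findings that a sample could observe.

    `path_exists` is injectable so the audit can be exercised offline; by
    default it checks the filesystem of the environment the script runs in.
    """
    findings = []
    for path in EMULATOR_PATHS:
        if path_exists(path):
            findings.append(("path", path))
    # Assumption of this sketch: any property mentioning "qemu" is a leak.
    for key, value in sorted(parse_getprop(getprop_text).items()):
        if "qemu" in key.lower() or "qemu" in value.lower():
            findings.append(("property", f"{key}={value}"))
    return findings


def is_clean(getprop_text, path_exists=os.path.exists):
    """True when none of the audited artifacts are visible."""
    return not audit_environment(getprop_text, path_exists)


if __name__ == "__main__":
    # Simulate an emulator that exposes /dev/qemu_pipe.
    leaky = audit_environment(
        CONSTRUCTED_EMULATOR_PROPS,
        path_exists=lambda p: p == "/dev/qemu_pipe",
    )
    for kind, detail in leaky:
        print(f"emulator artifact ({kind}): {detail}")
    print("container clean:",
          is_clean(CONSTRUCTED_CONTAINER_PROPS, path_exists=lambda p: False))
```
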

Further, an app analysis in a real Android device provides better results, but it is difficult to automate pre-analysis and post-analysis processes. Also, since it is difficult to enhance expandability and flexibility by applying an app analysis in a real Android device to a cloud environment, an app analysis in a real Android device is not appropriate for an analysis environment.

SUMMARY OF THE DISCLOSURE

According to one embodiment of the present disclosure, a mobile device for analyzing malicious code using a container platform is provided. The mobile device includes a container agent generating at least one Android container executing Android malicious code for dynamic analysis in response to a request received from a cloud controller and checking a state of the at least one Android container, a Linux host, a hardware module containing an operating system (OS) for the Linux host, and an analysis agent detecting a problem occurring upon an operation of the Android malicious code in the at least one Android container through the Linux host, and transmitting information of kernel-related malicious code behavior to an analysis server. The cloud controller manages the at least one Android container through the container agent.

The mobile device further includes a monitoring server coupled to the container agent and monitoring the state of the at least one Android container and resolving an analysis collision therein.

The mobile device further includes the analysis server performing a dynamic analysis and a static analysis on the information of kernel-related malicious code behavior from the analysis agent, and generating an Android package kit (APK) installation instruction to the at least one Android container.

The mobile device further includes a private picocell network providing a mobile network function to the at least one Android container. The private picocell network includes a software-defined radio (SDR)-based radio frequency (RF) transceiver, a picocell platform operating as a personal mobile network which is accessible with a global system for mobile communication (GSM) and/or long term evolution (LTE) module, and a management server collecting GSM/LTE information from the picocell platform and detecting malicious behavior or watching a problem of the personal mobile network.

According to another embodiment of the present disclosure, a system for analyzing malicious code in a mobile device is provided. The system includes a container agent generating at least one Android container executing Android malicious code for dynamic analysis in response to a request received from a cloud controller and checking a state of the at least one Android container, a Linux host, a hardware module containing an operating system (OS) for the Linux host, and an analysis agent detecting a problem occurring upon an operation of the Android malicious code in the at least one Android container through the Linux host, and transmitting information of kernel-related malicious code behavior to an analysis server. The cloud controller manages the at least one Android container through the container agent.

According to yet another embodiment of the present disclosure, a method for analyzing malicious code using a container platform is provided. The method includes generating, by a container agent, at least one Android container executing Android malicious code for dynamic analysis in response to a request received from a cloud controller, identifying a problem occurring upon an operation of the Android malicious code in the at least one Android container through a Linux host, detecting and transmitting, by an analysis agent, information of kernel-related malicious code behavior to an analysis server, and collecting analysis information from the analysis server.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, features and advantages of the present disclosure will become more apparent to those of ordinary skill in the art by describing exemplary embodiments thereof in detail with reference to the accompanying drawings, in which:

FIG. 1 is a conceptual diagram of a container platform for analyzing Android malicious code according to an exemplary embodiment of the present disclosure;

FIG. 2 is a detailed block diagram of the container platform for analyzing Android malicious code shown in FIG. 1;

FIG. 3 is a block diagram of an Android compute node of FIG. 2;

FIG. 4 is a diagram illustrating container technology used in the present disclosure and virtualization technology in comparison with each other; and

FIG. 5 is a flowchart of a method of securing a mobile device using a container platform for analyzing Android malicious code according to an exemplary embodiment of the present disclosure.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

The following detailed description of the present disclosure refers to the accompanying drawings which show, by way of illustration, exemplary embodiments in which this disclosure may be practiced. These embodiments are described in sufficient detail to enable those of ordinary skill in the art to practice the present disclosure. Various embodiments of the present disclosure are to be understood as being different but not necessarily as being mutually exclusive. For example, a particular shape, structure, or property described in the context of one embodiment may be implemented in other embodiments without departing from the spirit and scope of the disclosure. In addition, the position or arrangement of the individual components within each disclosed embodiment is to be understood as something that can be changed without departing from the spirit and scope of the disclosure. Therefore, the description is not to be taken as limiting the scope of the present disclosure, and instead the scope of the present disclosure is limited only by the appended claims along with the full range of equivalents of those claims. In the drawings, similar reference symbols denote the same or similar functionality throughout the various aspects.

Hereinafter, exemplary embodiments of the present disclosure will be described in detail with reference to the drawings.

FIG. 1 is a conceptual diagram of a container platform for analyzing Android malicious code according to an exemplary embodiment of the present disclosure. FIG. 2 is a detailed block diagram of the container platform for analyzing Android malicious code shown in FIG. 1. FIG. 3 is a block diagram of an Android compute node of FIG. 2.

A container platform 1 for analyzing Android malicious code (referred to as “container platform” below) according to an exemplary embodiment of the present disclosure is a platform for analyzing Android malicious code on the basis of a container technique.

Specifically, the present disclosure proposes a platform that provides higher speed than a virtualization-based method and is more flexible than a mobile device-based method as a new analysis and monitoring platform for analyzing mobile malicious code.

Exemplary embodiments of the present disclosure employ Android containers for analyzing Android applications instead of employing existing solutions, such as a quick emulator (QEMU)-based emulator, Android-x86, and a real mobile device.

Referring to FIG. 1, the container platform 1 according to an exemplary embodiment of the present disclosure includes Android compute nodes 10, a cloud controller 30, an analysis server 50, and a private picocell network (see FIG. 2).

The Android compute nodes 10 serve to generate Android containers and collect analysis information from the Android container and a container host. The Android compute nodes 10 manage all the generated Android containers.

The cloud controller 30 connects the Android compute nodes 10 and manages the Android containers.

The analysis server 50 performs a dynamic analysis and/or a static analysis of Android malicious code and instructs the Android container to install the Android package kit (APK).

The monitoring server 70 collects information sent by monitoring agents running on the Android compute nodes 10 to monitor a state of each Android container, and resolves analysis collision and other problems of the Android compute nodes 10.

The private picocell network provides a mobile network function to the Android containers.

Components of the container platform 1 of FIG. 1 and a relationship among the components will be described in further detail with reference to FIG. 2. In FIGS. 2 and 3, one of the Android compute nodes 10 will be representatively described.

Referring to FIGS. 2 and 3, the Android compute node 10 includes a container agent 170, a hardware module 110, a Linux host 130, and an analysis agent 150.

The Android compute node 10 may be a terminal or some modules of each mobile device. Also, the container agent 170, the hardware module 110, the Linux host 130, and the analysis agent 150 may be formed as an integrated module or as one or more modules. Alternatively, the respective components may be formed as separate modules.

The mobile device may be an Android device and may include various forms of mobile devices capable of wireless communication, such as a smart phone, a cellular phone, a tablet computer, a laptop computer, a netbook, a personal digital assistant (PDA), a portable multimedia player (PMP), a PlayStation portable (PSP), a moving picture experts group (MPEG) layer 3 (MP3) player, an e-book reader, a navigation device, a smart camera, an electronic dictionary, an electronic watch, a game machine, and so on.

The mobile device has mobility and may be referred to by other terms, such as a device, an apparatus, a terminal, user equipment (UE), a mobile station (MS), a wireless device, a handheld device, and so on.

The mobile device may execute various application programs on the basis of an operating system (OS). The OS is a system program for application programs to use hardware of a terminal device, and exemplary embodiments of the present disclosure may be based on the Android OS.

The application programs are programs developed to perform particular tasks using a mobile device and may not only include various applications, tools, process and service objects but also include various multimedia content, such as a game, a video, a photograph, etc., and all player programs for playing the multimedia content, such as an image viewer, a video player, and so on.

The mobile device may display media data or provide a user interface (UI) to a user through a display section which is a display device supporting wireless communication.

The display section may include a liquid crystal display (LCD) panel, a plasma display panel (PDP), an organic light-emitting diode (OLED) display panel, and so on.

Also, a touch screen function may be included in the display section or provided to a separate touchpad device to process user input. Alternatively, the mobile device may include an input section (not shown), such as a keypad, etc., which is formed separately from the display section to receive an input of the user.

The container agent 170 generates one or more Android containers 101, 102, and 103 that directly execute Android malicious code for dynamic analysis in response to a request received from the cloud controller 30.

Also, the container agent 170 makes it possible to check states of the Android containers 101, 102, and 103 through connections between the cloud controller 30 and the Android containers 101, 102, and 103.

The Android containers 101, 102, and 103 may be plural in number and are designed to execute Android malicious code for dynamic analysis. The states of the Android containers 101, 102, and 103 may be generated differently according to an OS, a build version, a routine, a rooting state, hardware information, and so on.

Container technology is a packaging technology for bundling up an application and elements required to execute the application on the basis of OS virtualization. Since it is possible to run several containers or move a container to another operating environment and run the container, an application may be easily run and extended.

Another reason for the rapid emergence of the container technology is that it helps the so-called “DevOps” that bridges the gap between development and operations. In many cases, a problem occurs in a process of transferring and deploying a system created by a developer to operating environments, and a startup time of the system is delayed. Using a container makes it possible to implant a packaged application in an operating environment as it is and execute the application.

Accordingly, a developer may further concentrate on development, and an administrator may easily deploy and manage a system. An information technology (IT) architect may scale infrastructure flexibly as necessary while reducing errors during testing and deployment of a system.

Container technology is very advantageous in terms of deployment rate and performance. A container achieves about ten times the degree of integration of a virtual machine (VM). While ten VMs are installed in one server according to the related art, 100 or more containers may be managed by one server. This is because there is neither a hypervisor layer nor a VM OS layer and fewer physical resources are used.

It is generally known that the hypervisor layer and the VM OS layer use about 10% to about 20% of entire resources in a virtual environment. In a physical server, it generally takes about 27 hours to build an operating environment. In a VM, it takes about 12 minutes using the template function. On the other hand, it takes only about ten seconds to create a new container instance.

Also, container technology makes it possible to build a new environment faster than virtualization technology and may further reduce time required to build a new environment. Moreover, while a VM requires a manual task of loading data and causing a system to operate in conjunction with another system after building an environment, using a container makes it possible to omit such a task by inputting the task into a container image and thus is efficient.

Container technology has many advantages in terms of performance. Container technology involves a structure obtained by installing a host OS on hardware and stacking a container which is a package of an application and a library on the host OS.

In an existing bare-metal environment, when a problem occurs in a secure socket layer (SSL) library, problems immediately occur in all applications related to the SSL library. This is because of the structure in which a single library is shared. On the other hand, according to container technology, each container uses its own internal libraries. Therefore, even when a failure occurs in one container, other services are not affected.

When comparing container technology with virtualization technology, the biggest advantage of container technology is scalability, which is applicable where real-time quickness and response are needed. Referring to FIG. 4, virtualization generally extends in a scale-up fashion by additionally allocating resources to a VM short of resources. On the other hand, containers are managed in a scale-out fashion by additionally generating and running a container which plays the same role as an existing container.

In the scale-out fashion, it is possible to cope with a failure or a service expansion more flexibly. A container is so light and flexible that generating and running a new container is faster than recovering an existing container when a failure occurs.

The hardware module 110 is installed in the Android compute node and provides hardware-based functions of the mobile device, such as wireless fidelity (WiFi), global positioning system (GPS), Bluetooth, camera, and global system for mobile communication (GSM) connection functions.

An OS of the Linux host 130 is installed on the hardware module 110, and the analysis agent 150 identifies a problem occurring upon operation of malicious code in the Android containers 101, 102, and 103 through the Linux host 130, detects kernel-related malicious code behavior, and transmits information on the kernel-related malicious code behavior to the analysis server 50.

The cloud controller 30 is used to manage and configure the Android containers 101, 102, and 103 through the container agent 170.

The analysis server 50 receives the information sent by the analysis agent 150 and detects a problem through a dynamic analysis and a static analysis of the malicious code. Also, the analysis server 50 instructs the Android containers 101, 102, and 103 to install APK.

The monitoring server 70 is connected to the container agent 170 to monitor states of the Android containers 101, 102, and 103 and resolves analysis collision and other problems of the Android compute node 10.

The private picocell network provides a mobile network function to the Android containers 101, 102, and 103.

The private picocell network may include a software-defined radio (SDR)-based RF transceiver 92 which uses a GSM module 90, a picocell platform 94 which operates as a personal mobile network accessible with a GSM/long term evolution (LTE) module, and a management server 96 which collects GSM/LTE information from the picocell platform 94 and detects malicious behavior or watches a problem of the personal mobile network.

According to the above-described container platform 1 for analyzing Android malicious code, since the container technology is used, hardware virtualization technology such as the existing QEMU technology is unnecessary. Also, unlike a case of executing Android malicious code in a real phone, various kinds of equipment are not required, and it is possible to provide expandability and flexibility.

Further, when malicious code is analyzed in an Android container according to exemplary embodiments of the present disclosure, it is possible to analyze APK and .so libraries in the Android space. Also, since the container may be easily backed up, it is possible to simply recover the container from various attacks.

Moreover, since information is directly acquired from real hardware, exemplary embodiments of the present disclosure provide higher speed than a virtual environment and make it possible to prepare for an emulator bypassing technique. In addition, since a picocell network is used in exemplary embodiments of the present disclosure, it is possible to cope with an attack through a real mobile network, and it is also possible to create a private network among containers.

FIG. 5 is a flowchart of a method of securing a mobile device using a container platform for analyzing Android malicious code according to an exemplary embodiment of the present disclosure.

The method of securing a mobile device using a container platform for analyzing Android malicious code according to the present embodiment may proceed in substantially the same configuration as that of the Android compute node 10 of FIG. 3 in the environment of the container platform 1 of FIG. 2.

Therefore, in the environment of the container platform 1 of FIG. 2, the same components as those of the Android compute node 10 of FIG. 3 will be given the same reference numerals, and duplicate descriptions will be omitted.

The method of securing a mobile device using a container platform for analyzing Android malicious code according to the present embodiment may be performed by software (an application) for performing the method.

Referring to FIG. 5, the method of securing a mobile device using a container platform for analyzing Android malicious code according to the present embodiment involves generating, by the container agent 170 of the Android compute node 10, one or more Android containers 101, 102, and 103 which execute Android malicious code for dynamic analysis in response to a request received from the cloud controller 30 (operation S10).

The cloud controller 30 manages and configures the Android containers 101, 102, and 103 through the container agent 170. The Android containers 101, 102, and 103 may be plural in number and are designed to execute Android malicious code for dynamic analysis.

The states of the Android containers 101, 102, and 103 may be generated differently according to an OS, a build version, a routine, a rooting state, hardware information, and so on.

When the Android containers 101, 102, and 103 are generated, a problem occurring upon operation of malicious code in the Android containers 101, 102, and 103 is identified through the Linux host 130 (operation S30). An OS of the Linux host 130 is installed on the hardware module 110.

The analysis agent 150 detects kernel-related malicious code behavior and transmits information on the kernel-related malicious code behavior to the analysis server 50 (operation S50). The analysis server 50 receives the information sent by the analysis agent 150 and detects a problem through a dynamic analysis and/or a static analysis of the malicious code. Also, the analysis server 50 may instruct the Android containers 101, 102, and 103 to install an APK.

The analysis agent 150 of the Android compute node 10 collects analysis information from the analysis server 50 (operation S70).

The container agent 170 may transmit state information of the Android containers 101, 102, and 103 to the monitoring server 70. The monitoring server 70 may be connected to the container agent 170 to monitor the states of the Android containers 101, 102, and 103 and may resolve an analysis collision of the Android compute node 10 and other problems.

The above-described method of securing a mobile device equipped with a container platform for analyzing Android malicious code may be embodied in the form of an application or program instructions executable by various computer components and recorded in a computer-readable recording medium. The computer-readable recording medium may include program instructions, data files, data structures, or the like, solely or in combination.

The program instructions recorded in the computer-readable recording medium may be specially designed or configured for the present disclosure or may be known to and used by those of ordinary skill in the computer software art.

Examples of the computer-readable recording medium include magnetic media such as a hard disk, a floppy disk, and a magnetic tape, optical recording media such as a compact disc read-only memory (CD-ROM) and a digital versatile disc (DVD), magneto-optical media such as a floptical disk, and hardware devices such as a ROM, a random access memory (RAM), a flash memory, etc. specially configured to store and execute the program instructions.

Examples of the program instructions include a high-level language code executable by a computer using an interpreter or the like as well as a machine language code created by a compiler. The hardware devices may be configured to operate as one or more software modules to perform processing according to the present disclosure, and vice versa.

According to the above-described container platform for analyzing Android malicious code, container technology is used, and the hardware virtualization technology, such as existing QEMU technology, is unnecessary. Also, unlike a case of executing Android malicious code in a real phone, various kinds of equipment are not required, and it is possible to provide expandability and flexibility.

Further, when malicious code is analyzed in an Android container according to exemplary embodiments of the present disclosure, it is possible to analyze APK and .so libraries in the Android space. Also, since the container may be easily backed up, it is possible to simply recover the container from various attacks.

Moreover, since information is directly acquired from real hardware, exemplary embodiments of the present disclosure provide higher speed than a virtual environment and make it possible to prepare for an emulator bypassing technique. In addition, since a picocell network is used in exemplary embodiments of the present disclosure, it is possible to cope with an attack through a real mobile network, and it is also possible to create a private network among containers.

The present disclosure proposes a platform for analyzing Android malicious code using container technology and shows high stability and flexibility in an Android device. Therefore, the present disclosure is expected to be usefully applied to analyses of Android malicious code.

It should be apparent to those of ordinary skill in the art that various modifications and alterations can be made to the above-described exemplary embodiments of the present disclosure without departing from the spirit or scope of the disclosure.

What is claimed is:
1. A mobile device for analyzing malicious code using a container platform, the mobile device comprising: a container agent generating at least one container directly executing malicious code for dynamic analysis in response to a request received from a cloud controller and checking a state of the at least one container; a host; a hardware module containing an operating system (OS) for the host; and an analysis agent detecting a problem occurring upon an operation of the malicious code in the at least one container through the host, and transmitting information of kernel-related malicious code behavior to an analysis server, wherein the analysis server performs a dynamic analysis and a static analysis on the information of kernel-related malicious code behavior received from the analysis agent, and generates a package kit file installation instruction to the at least one container to install the package kit, and wherein the container agent is coupled to a monitoring server, which monitors the state of the at least one container and resolves an analysis collision thereof.
2. The mobile device of claim 1, wherein the cloud controller manages the at least one container through the container agent.
3. The mobile device of claim 1, further comprising a private picocell network providing a mobile network function to the at least one container.
4. The mobile device of claim 3, wherein the private picocell network comprises: a software-defined radio (SDR)-based radio frequency (RF) transceiver; a picocell platform operating as a personal mobile network which is accessible with a global system for mobile communication (GSM) and/or long term evolution (LTE) module; and a management server collecting GSM/LTE information from the picocell platform and detecting malicious behavior or watching a problem of the personal mobile network.
5. A system for analyzing malicious code in a mobile device using a container platform comprising: a container agent generating at least one container directly executing malicious code for dynamic analysis in response to a request received from a cloud controller and checking a state of the at least one container; a host; a hardware module containing an operating system (OS) for the host; an analysis agent detecting a problem occurring upon an operation of the malicious code in the at least one container through the host, and transmitting information of kernel-related malicious code behavior to an analysis server, wherein the analysis server performs a dynamic analysis and a static analysis on the information of kernel-related malicious code behavior received from the analysis agent, and generates a package kit file installation instruction to the at least one container to install the package kit; and a monitoring server to monitor the state of the at least one container and to resolve an analysis collision therein, wherein the monitoring server is coupled to the container agent.
6. The system of claim 5, wherein the cloud controller manages the at least one container through the container agent.
7. The system of claim 5, further comprising a private picocell network providing a mobile network function to the at least one container.
8. The system of claim 7, wherein the private picocell network comprises: a software-defined radio (SDR)-based radio frequency (RF) transceiver; a picocell platform operating as a personal mobile network which is accessible with a global system for mobile communication (GSM) and/or long term evolution (LTE) module; and a management server collecting GSM/LTE information from the picocell platform and detecting malicious behavior or watching a problem of the personal mobile network.
9. A method for analyzing malicious code using a container platform, the method comprising: generating, by a container agent, at least one container directly executing malicious code for dynamic analysis in response to a request received from a cloud controller; identifying a problem occurring upon an operation of the malicious code in the at least one container through a host; detecting and transmitting, by an analysis agent, information of kernel-related malicious code behavior to an analysis server; performing, by the analysis server, a dynamic analysis and a static analysis on the information of kernel-related malicious code behavior received from the analysis agent; installing a package kit file in the at least one container according to an instruction of the analysis server; transmitting state information of the at least one container to a monitoring server; and monitoring the state of the at least one container and resolving an analysis collision thereof using the monitoring server.